DATA CENTER FIREWALL PRODUCT ANALYSIS




Fortinet FortiGate 1500D v5.0,build0252

2014

Ryan Liles, Chris Thomas

NSS Labs Data Center Firewall Product Analysis - Fortinet FortiGate 1500D

Overview

NSS Labs performed an independent test of the Fortinet FortiGate 1500D v5.0,build0252. The product was subjected to thorough testing at the NSS facility in Austin, Texas, based on the Data Center Firewall Methodology v1.0 available on www.nsslabs.com. This test was conducted free of charge and NSS did not receive any compensation in return for Fortinet's participation.

While the companion Comparative Analysis Reports (CAR) on security, performance, and total cost of ownership (TCO) will provide comparative information about all tested products, this individual Product Analysis Report (PAR) provides detailed information not available elsewhere.

Firewall devices deployed within a data center typically will be subjected to significantly higher traffic levels than a firewall or next generation firewall (NGFW) deployed at the corporate network perimeter. Furthermore, data center traffic mixes will be completely different from a typical corporate network perimeter; where perimeter devices will be expected to protect a wide range of end-user applications, a data center device may be deployed to protect a single type of server supporting far fewer network protocols and applications. The data center firewall testing methodology focuses on these aspects.

Product | Stability & Reliability | NSS-Tested Throughput | Firewall Policy Enforcement
Fortinet FortiGate 1500D v5.0,build0252 | PASS | 39,667 Mbps | PASS

Figure 1 - Overall Test Results

The device passed all stability and reliability tests. The device also passed all firewall policy enforcement tests.

The Fortinet FortiGate 1500D is rated by NSS at 39,667 Mbps, which is in line with the vendor-claimed performance (Fortinet rates this device at 40 Gbps). NSS-tested throughput is calculated as an average of all the "Real-World" Protocol Mixes and the 21 KB HTTP response-based capacity tests.

2014 NSS Labs, Inc. All rights reserved.

Table of Contents

Overview
Security Effectiveness
Performance
    Raw Packet Processing Performance (UDP Throughput)
    Latency - UDP
    Connection Dynamics - Concurrency and Connection Rates
    HTTP Connections per Second and Capacity
    Application Average Response Time - HTTP
    HTTP Connections per Second and Capacity (with Delays)
    Real-World Traffic Mixes
Stability & Reliability
Management & Configuration
Total Cost of Ownership (TCO)
    Installation (Hours)
    Purchase Price and Total Cost of Ownership
    Value: Total Cost of Ownership per Protected-Mbps
Detailed Product Scorecard
Test Methodology
Contact Information

Table of Figures

Figure 1 - Overall Test Results
Figure 2 - Firewall Policies
Figure 3 - Raw Packet Processing Performance (UDP Traffic)
Figure 4 - UDP Latency in Microseconds
Figure 5 - Concurrency and Connection Rates
Figure 6 - HTTP Connections per Second and Capacity
Figure 7 - Average Application Response Time in Milliseconds
Figure 8 - HTTP Connections per Second and Capacity (with Delays)
Figure 9 - Real World Data Center Traffic Mixes
Figure 10 - Stability & Reliability Results
Figure 11 - High Availability Results
Figure 12 - Sensor Installation Time in Hours
Figure 13 - 3-Year TCO
Figure 14 - Total Cost of Ownership per Protected-Mbps
Figure 15 - Detailed Scorecard

Security Effectiveness

This section verifies that the DUT is capable of enforcing a specified security policy effectively.

Firewall Policy Enforcement

Policies are rules that are configured on a firewall to permit or deny access from one network resource to another, based on identifying criteria such as: source, destination, and service. A term typically used to define the demarcation point of a network where policy is applied is a demilitarized zone (DMZ). Policies are typically written to permit or deny network traffic from one or more of the following zones:

- Untrusted - This is typically an external network and is considered to be unknown and non-secure. An example of an untrusted network would be the Internet.
- DMZ - This is a network that is being isolated by the firewall restricting network traffic to and from hosts contained within the isolated network.
- Trusted - This is typically an internal network; a network that is considered secure and protected.

The NSS firewall tests verify performance and the ability to enforce policy between the following:

- Trusted to Untrusted
- Untrusted to DMZ
- Trusted to DMZ

Note: Firewalls must provide at a minimum one DMZ interface in order to provide a DMZ or "transition point" between untrusted and trusted networks.

Test Procedure | Results
Baseline Policies | PASS
Simple Policies | PASS
Complex Policies | PASS
Static NAT (Network Address Translation) | PASS
Dynamic/Hide NAT | PASS
SYN Flood Protection | PASS
Address Spoofing Protection | PASS

Figure 2 - Firewall Policies

Performance

There is frequently a trade-off between security effectiveness and performance. Because of this trade-off, it is important to judge a product's security effectiveness within the context of its performance (and vice versa). This ensures that new security protections do not adversely impact performance and security shortcuts are not taken to maintain or improve performance.

Raw Packet Processing Performance (UDP Throughput)

This test uses UDP packets of varying sizes generated by test equipment. A constant stream of the appropriate packet size - with variable source and destination IP addresses transmitting from a fixed source port to a fixed destination port - is transmitted bi-directionally through each port pair of the DUT.

Each packet contains dummy data, and is targeted at a valid port on a valid IP address on the target subnet. The percentage load and frames per second (fps) figures across each in-line port pair are verified by network monitoring tools before each test begins. Multiple tests are run and averages taken where necessary.

This traffic does not attempt to simulate any form of "real-world" network condition. No TCP sessions are created during this test, and there is very little for the state engine to do. The aim of this test is purely to determine the raw packet processing capability of each in-line port pair of the DUT, and its effectiveness at forwarding packets quickly in order to provide the highest level of network performance and lowest latency.

Packet Size | Mbps | Latency (µs)
64 Byte Packets | 43,000 | 4
128 Byte Packets | 75,000 | 4
256 Byte Packets | 78,000 | 4
512 Byte Packets | 79,000 | 5
1024 Byte Packets | 79,500 | 6
1514 Byte Packets | 80,000 | 7

Figure 3 - Raw Packet Processing Performance (UDP Traffic)

The FortiGate 1500D showed exceptional latency at all packet sizes for UDP traffic.

Latency - UDP

Data center firewalls that introduce high levels of latency lead to unacceptable response times for users, especially where multiple security devices are placed in the data path. These results show the latency (in microseconds) as recorded during the UDP throughput tests at 90% of maximum load.

Latency - UDP | Microseconds
64 Byte Packets | 4
128 Byte Packets | 4
256 Byte Packets | 4
512 Byte Packets | 5
1024 Byte Packets | 6
1514 Byte Packets | 7

Figure 4 - UDP Latency in Microseconds

Connection Dynamics - Concurrency and Connection Rates

The use of sophisticated test equipment appliances allows NSS engineers to create true "real world" traffic at multi-gigabit speeds as a background load for the tests.

The aim of these tests is to stress the inspection engine and determine how it handles high volumes of TCP connections per second, application layer transactions per second, and concurrent open connections. All packets contain valid payload and address data, and these tests provide an excellent representation of a live network at various connection/transaction rates.

Note that in all tests the following critical "breaking points" - where the final measurements are taken - are used:

- Excessive concurrent TCP connections - Unacceptable increase in open connections on the server-side.
- Excessive response time for HTTP transactions - Excessive delays and increased response time to client.
- Unsuccessful HTTP transactions - Normally, there should be zero unsuccessful transactions. Their occurrence indicates that excessive latency is causing connections to time out.

Metric | Value
TCP Connections/Sec | 273,600
HTTP Connections/Sec | 282,150
HTTP Transactions/Sec | 2,565,000
Concurrent TCP Conns (without data) | 6,829,697
Concurrent TCP Conns (with data) | 6,979,895

Figure 5 - Concurrency and Connection Rates

HTTP Connections per Second and Capacity

The aim of these tests is to stress the HTTP detection engine and determine how the DUT copes with network loads of varying average packet size and varying connections per second. By creating genuine session-based traffic with varying session lengths, the DUT is forced to track valid TCP sessions, thus ensuring a higher workload than for simple packet-based background traffic. This provides a test environment that is as close to "real world" as it is possible to achieve in a lab environment, while ensuring absolute accuracy and repeatability.

Each transaction consists of a single HTTP GET request and there are no transaction delays (i.e. the web server responds immediately to all requests). All packets contain valid payload (a mix of binary and ASCII objects) and address data. This test provides an excellent representation of a live network (albeit one biased towards HTTP traffic) at various network loads.

Response Size | CPS | Mbps
44 KB Response | 100,000 | 40,000
21 KB Response | 200,000 | 40,000
10 KB Response | 290,000 | 29,000
4.5 KB Response | 294,000 | 14,700
1.7 KB Response | 298,000 | 7,450

Figure 6 - HTTP Connections per Second and Capacity

Application Average Response Time - HTTP

Application Average Response Time - HTTP (at 90% Maximum Load) | Milliseconds
2,500 Connections Per Second - 44 KB Response | 0.4
5,000 Connections Per Second - 21 KB Response | 0.3
10,000 Connections Per Second - 10 KB Response | 0.1
20,000 Connections Per Second - 4.5 KB Response | 0.1
40,000 Connections Per Second - 1.7 KB Response | 0.3

Figure 7 - Average Application Response Time in Milliseconds

HTTP Connections per Second and Capacity (with Delays)

Typical user behavior introduces delays between requests and responses, e.g. "think time," as users read web pages and decide which links to click next. This group of tests is identical to the previous group except that these include a 5 second delay in the server response for each transaction. This has the effect of maintaining a high number of open connections throughout the test, thus forcing the sensor to utilize additional resources to track those connections.

Test | CPS | Mbps
21 KB Response | 200,000 | 40,000
21 KB Response w/ Delay | 200,000 | 40,000
10 KB Response | 290,000 | 29,000
10 KB Response w/ Delay | 290,000 | 29,000

Figure 8 - HTTP Connections per Second and Capacity (with Delays)

Real-World Traffic Mixes

This test measures the performance of the device under test in a "real world" environment by introducing additional protocols and real content, while still maintaining a precisely repeatable and consistent background traffic load. Different protocol mixes are utilized based on the intended location of the device under test (network core or perimeter) to reflect real use cases. For details about real world traffic protocol types and percentages, see the NSS Network Firewall Data Center Test Methodology, available at www.nsslabs.com.

Traffic Mix | Mbps
Real World Protocol Mix (Data center - Financial) | 40,000
Real World Protocol Mix (Data center - Virtualization Hub) | 40,000
Real World Protocol Mix (Data center - Mobile Applications) | 38,000
Real World Protocol Mix (Data center - Web Apps) | 40,000
Real World Protocol Mix (Data center - ISP) | 40,000

Figure 9 - Real World Data Center Traffic Mixes

The FortiGate 1500D performed in-line with the throughput claimed by the vendor with all mixes except for mobile applications, where it performed slightly below its rated throughput and its vendor-claimed throughput.

Stability & Reliability

Long-term stability is particularly important for an in-line device, where failure can produce network outages. These tests verify the stability of the DUT along with its ability to maintain security effectiveness while under normal load and while passing malicious traffic. Products that are not able to sustain legitimate traffic (or that crash) while under hostile attack will not pass.

The FortiGate 1500D is required to remain operational and stable throughout these tests, and to block 100% of previously blocked traffic, raising an alert for each. If any non-allowed traffic passes successfully, caused by either the volume of traffic or the DUT failing open for any reason, this will result in a FAIL.

Test Procedure | Result
Blocking Under Extended Attack | PASS
Passing Legitimate Traffic Under Extended Attack | PASS
Protocol Fuzzing & Mutation | PASS
Power Fail | PASS
Redundancy | YES
Persistence of Data | PASS

Figure 10 - Stability & Reliability Results

High Availability (HA) (Optional)

High availability (HA) is important to many enterprise customers, and this table represents the vendor's HA feature set. If no HA offering was submitted for NSS to validate, all results in this section will be marked as "N/A."

Description | Results
Failover - Legitimate Traffic | PASS
Time to Failover | 0.1 seconds
Stateful Operation | PASS
Active/Active Configuration | PASS

Figure 11 - High Availability Results

Management & Configuration

Security devices are complicated to deploy; essential systems such as centralized management console options, log aggregation, and event correlation/management systems further complicate the purchasing decision.

Understanding key comparison points will allow customers to model the overall impact on network service level agreements (SLAs), estimate operational resource requirements to maintain and manage the systems, and better evaluate required skill/competencies of staff.

Enterprises should include management & configuration during their evaluation, focusing on the following at minimum:

- General Management and Configuration - how easy is it to install and configure devices, and deploy multiple devices throughout a large enterprise network?
- Policy Handling - how easy is it to create, edit, and deploy complicated security policies across an enterprise?
- Alert Handling - how accurate and timely is the alerting, and how easy is it to drill down to locate critical information needed to remediate a security problem?
- Reporting - how effective is the reporting capability, and how readily can it be customized?

Total Cost of Ownership (TCO)

Implementation of security solutions can be complex, with several factors affecting the overall cost of deployment, maintenance and upkeep. All of these should be considered over the course of the useful life of the solution.

- Product Purchase - The cost of acquisition.
- Product Maintenance - The fees paid to the vendor (including software and hardware support, maintenance and other updates.)
- Installation - The time required to take the device out of the box, configure it, put it into the network, apply updates and patches, and set up desired logging and reporting.
- Upkeep - The time required to apply periodic updates and patches from vendors, including hardware, software, and other updates.
- Management - Day-to-day management tasks including device configuration, policy updates, policy deployment, alert handling, and so on.

For the purposes of this report, capital expenditure (CAPEX) items are included for a single device only (the cost of acquisition and installation.)

Installation (Hours)

This table details the number of hours of labor required to install each device using local device management options only. This will reflect accurately the amount of time taken for NSS engineers, with the help of vendor engineers, to install and configure the DUT to the point where it operates successfully in the test harness, passes legitimate traffic and blocks/detects prohibited/malicious traffic. This closely mimics a typical enterprise deployment scenario for a single device.

Costs are based upon the time required by an experienced security engineer (assumed $75 per hour for the purposes of these calculations) allowing NSS to hold constant the talent cost and measure only the difference in time required for installation. Readers should substitute their own costs to obtain accurate TCO figures.

Product | Installation (Hours)
Fortinet FortiGate 1500D v5.0,build0252 | 8

Figure 12 - Sensor Installation Time in Hours

Purchase Price and Total Cost of Ownership

Calculations are based on vendor-provided pricing information. Where possible, the 24/7 maintenance and support option with 24-hour replacement is utilized, since this is the option typically selected by enterprise customers. Prices are for single device management and maintenance only; costs for central device management (CDM) solutions may be extra. For additional TCO analysis, including CDM, refer to the TCO CAR.

Product | Purchase | Maintenance / year | Year 1 Cost | Year 2 Cost | Year 3 Cost | 3-Year TCO
Fortinet FortiGate 1500D v5.0,build0252 | $24,998 | $5,649 | $31,067 | $6,369 | $6,369 | $43,805

Figure 13 - 3-Year TCO

- Year 1 Cost is calculated by adding installation costs ($75 USD per hour fully loaded labor x installation time) + purchase price + first-year maintenance/support fees. Fortinet maintenance fees are calculated with the 3-year cost of an up-front purchase divided evenly over the 3-year term.
- Year 2 Cost consists only of maintenance/support fees.
- Year 3 Cost consists only of maintenance/support fees.

This provides a TCO figure consisting of hardware, installation and maintenance costs for a single device only. TCO calculations for multiple devices are modeled extensively in the TCO CAR.

Value: Total Cost of Ownership per Protected-Mbps

There is a clear difference between price and value. The least expensive product does not necessarily offer the greatest value if it offers significantly lower performance than only slightly more expensive competitors. The best value is a product with a low TCO and high level of throughput.

Figure 14 depicts the relative cost per unit of work performed, described as TCO per Protected-Mbps.

Product | NSS-Tested Throughput | 3-Year TCO | TCO per Protected-Mbps
Fortinet FortiGate 1500D v5.0,build0252 | 39,667 Mbps | $43,805 | $1.10

Figure 14 - Total Cost of Ownership per Protected-Mbps

TCO per Protected-Mbps was calculated by taking the 3-Year TCO and dividing it by the NSS-Tested Throughput. Therefore 3-Year TCO / NSS-Tested Throughput = TCO per Protected-Mbps.

TCO is for single device maintenance only; costs for central device management (CDM) solutions may be extra. For additional TCO analysis, refer to the TCO CAR.

Detailed Product Scorecard

The following chart depicts the status of each test with quantitative results where applicable.

Security Effectiveness

Firewall Policy Enforcement | Result
Baseline Policy | PASS
Simple Policy | PASS
Complex Policy | PASS
Static NAT | PASS
Dynamic/Hide NAT | PASS
Syn Flood Protection | PASS
Address Spoofing Protection | PASS

Performance

UDP Throughput | Mbps
64 Byte Packets | 43000
128 Byte Packets | 75000
256 Byte Packets | 78000
512 Byte Packets | 79000
1024 Byte Packets | 79500
1514 Byte Packets | 80000

Latency - UDP | Microseconds
64 Byte Packets | 4.0
128 Byte Packets | 4.0
256 Byte Packets | 4.0
512 Byte Packets | 5.0
1024 Byte Packets | 6.0
1514 Byte Packets | 7.0

Connection Dynamics - Concurrency and Connection Rates | Value
Theoretical Max. Concurrent TCP Connections | 6,829,697
Theoretical Max. Concurrent TCP Connections w/Data | 6,979,895
Maximum TCP Connections Per Second | 273,600
Maximum HTTP Connections Per Second | 282,150
Maximum HTTP Transactions Per Second | 2,565,000

HTTP Capacity With No Transaction Delays | Value
2,500 Connections Per Second - 44 KB Response | 100,000
5,000 Connections Per Second - 21 KB Response | 200,000
10,000 Connections Per Second - 10 KB Response | 290,000
20,000 Connections Per Second - 4.5 KB Response | 294,000
40,000 Connections Per Second - 1.7 KB Response | 298,000

Application Average Response Time - HTTP (at 90% Max Load) | Milliseconds
2,500 Connections Per Second - 44 KB Response | 0.4
5,000 Connections Per Second - 21 KB Response | 0.3
10,000 Connections Per Second - 10 KB Response | 0.1
20,000 Connections Per Second - 4.5 KB Response | 0.1
40,000 Connections Per Second - 1.7 KB Response | 0.3

HTTP CPS & Capacity With Transaction Delays | Value
21 KB Response With Delay | 280,000
10 KB Response With Delay | 348,000

Real World Traffic | Mbps
Real World Protocol Mix (Data center - Financial) | 40,000
Real World Protocol Mix (Data center - Virtualization Hub) | 40,000
Real World Protocol Mix (Data center - Mobile Applications) | 38,000
Real World Protocol Mix (Data center - Web Apps) | 40,000
Real World Protocol Mix (Data center - ISP) | 40,000

Stability & Reliability

Test | Result
Blocking Under Extended Attack | PASS
Passing Legitimate Traffic Under Extended Attack | PASS
Protocol Fuzzing & Mutation | PASS
Power Fail | PASS
Redundancy | PASS
Persistence of Data | PASS
Failover - Legitimate Traffic | PASS
Failover - Time to Failover | .1 Seconds
Stateful Operation | PASS
Active-Active Configuration | PASS

Total Cost of Ownership

Ease of Use | Value
Initial Setup (Hours) | 8

Expected Costs | Value
Initial Purchase (hardware as tested) | $24,998
Installation Labor Cost (@ $75/hr) | $600
Annual Cost of Maintenance & Support (hardware/software) | $6,369
Initial Purchase (enterprise management system) | See CAR
Annual Cost of Maintenance & Support (enterprise management system) | See CAR

Total Cost of Ownership | Value
Year 1 | $31,067
Year 2 | $6,369
Year 3 | $6,369
3-Year Total Cost of Ownership | $43,805

Figure 15 - Detailed Scorecard

Test Methodology

Methodology Version: Network Firewall - Data Center v1.0

All Test IDs in this report refer to the methodology document, not necessarily to sections in this report.

A copy of the test methodology is available on the NSS Labs website at www.nsslabs.com.

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This and other related documents available at: http://www.nsslabs.com. To receive a licensed copy or report misuse, please contact NSS Labs at +1 (512) 961-5300 or sales@nsslabs.com.

2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.

2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.